secure the grpc client (#1215)
* secure the grpc client * make compile * Add system cert pool * Revert manually adding ca certs * Tweak comment Co-authored-by: ben-toogood <bentoogood@gmail.com>
This commit is contained in:
parent
b00167520c
commit
f91ec84d59
30
grpc.go
30
grpc.go
@ -5,7 +5,9 @@ import (
|
|||||||
"context"
|
"context"
|
||||||
"crypto/tls"
|
"crypto/tls"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"net"
|
||||||
"os"
|
"os"
|
||||||
|
"strings"
|
||||||
"sync/atomic"
|
"sync/atomic"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
@ -36,14 +38,36 @@ func init() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// secure returns the dial option for whether its a secure or insecure connection
|
// secure returns the dial option for whether its a secure or insecure connection
|
||||||
func (g *grpcClient) secure() grpc.DialOption {
|
func (g *grpcClient) secure(addr string) grpc.DialOption {
|
||||||
|
// first we check if theres'a tls config
|
||||||
if g.opts.Context != nil {
|
if g.opts.Context != nil {
|
||||||
if v := g.opts.Context.Value(tlsAuth{}); v != nil {
|
if v := g.opts.Context.Value(tlsAuth{}); v != nil {
|
||||||
tls := v.(*tls.Config)
|
tls := v.(*tls.Config)
|
||||||
creds := credentials.NewTLS(tls)
|
creds := credentials.NewTLS(tls)
|
||||||
|
// return tls config if it exists
|
||||||
return grpc.WithTransportCredentials(creds)
|
return grpc.WithTransportCredentials(creds)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// default config
|
||||||
|
tlsConfig := &tls.Config{}
|
||||||
|
defaultCreds := grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig))
|
||||||
|
|
||||||
|
// check if the address is prepended with https
|
||||||
|
if strings.HasPrefix(addr, "https://") {
|
||||||
|
return defaultCreds
|
||||||
|
}
|
||||||
|
|
||||||
|
// if no port is specified or port is 443 default to tls
|
||||||
|
_, port, err := net.SplitHostPort(addr)
|
||||||
|
// assuming with no port its going to be secured
|
||||||
|
if port == "443" {
|
||||||
|
return defaultCreds
|
||||||
|
} else if err != nil && strings.Contains(err.Error(), "missing port in address") {
|
||||||
|
return defaultCreds
|
||||||
|
}
|
||||||
|
|
||||||
|
// other fallback to insecure
|
||||||
return grpc.WithInsecure()
|
return grpc.WithInsecure()
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -116,7 +140,7 @@ func (g *grpcClient) call(ctx context.Context, node *registry.Node, req client.R
|
|||||||
grpcDialOptions := []grpc.DialOption{
|
grpcDialOptions := []grpc.DialOption{
|
||||||
grpc.WithDefaultCallOptions(grpc.ForceCodec(cf)),
|
grpc.WithDefaultCallOptions(grpc.ForceCodec(cf)),
|
||||||
grpc.WithTimeout(opts.DialTimeout),
|
grpc.WithTimeout(opts.DialTimeout),
|
||||||
g.secure(),
|
g.secure(address),
|
||||||
grpc.WithDefaultCallOptions(
|
grpc.WithDefaultCallOptions(
|
||||||
grpc.MaxCallRecvMsgSize(maxRecvMsgSize),
|
grpc.MaxCallRecvMsgSize(maxRecvMsgSize),
|
||||||
grpc.MaxCallSendMsgSize(maxSendMsgSize),
|
grpc.MaxCallSendMsgSize(maxSendMsgSize),
|
||||||
@ -194,7 +218,7 @@ func (g *grpcClient) stream(ctx context.Context, node *registry.Node, req client
|
|||||||
grpcDialOptions := []grpc.DialOption{
|
grpcDialOptions := []grpc.DialOption{
|
||||||
grpc.WithDefaultCallOptions(grpc.ForceCodec(wc)),
|
grpc.WithDefaultCallOptions(grpc.ForceCodec(wc)),
|
||||||
grpc.WithTimeout(opts.DialTimeout),
|
grpc.WithTimeout(opts.DialTimeout),
|
||||||
g.secure(),
|
g.secure(address),
|
||||||
}
|
}
|
||||||
|
|
||||||
if opts := g.getGrpcDialOptions(); opts != nil {
|
if opts := g.getGrpcDialOptions(); opts != nil {
|
||||||
|
Loading…
Reference in New Issue
Block a user